PyPI - aws-cis-controls-assessment - Versions diffs - 1.1.3__py3-none-any.whl → 1.2.0__py3-none-any.whl - Mend

aws-cis-controls-assessment 1.1.3py3-none-any.whl → 1.2.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

docs/user-guide.md CHANGED Viewed

@@ -4,12 +4,13 @@ This comprehensive guide covers how to use the AWS CIS Controls Compliance Asses
 ## Production Framework Overview
-**✅ Complete Implementation**
-- 138 AWS Config rules implemented (133 CIS Controls + 5 bonus security rules)
-- 100% coverage across all Implementation Groups (IG1, IG2, IG3)
+**✅ Enhanced CIS Controls v8.1 Coverage**
+- **125 IG1 rules** implemented (75%+ coverage of CIS Controls v8.1 IG1 safeguards)
+- **50 new rules** added across security services, logging, encryption, inventory, configuration management, and backup security
+- **38 IG2 rules** and **12 IG3 rules** for enhanced and advanced security
 - Production-tested architecture with enterprise-grade error handling
 - Ready for immediate deployment in production environments
-- **NEW:** AWS Backup service controls for infrastructure assessment
+- **NEW:** Coverage metrics reporting showing safeguard coverage percentages
 ## Table of Contents
@@ -486,6 +487,138 @@ Each non-compliant finding includes:
 - Priority level (HIGH, MEDIUM, LOW)
 - Estimated effort
+## CIS Controls v8.1 IG1 Expansion (New in v1.2.0)
+### Overview
+Version 1.2.0 adds **50 new IG1 rules** across four phases, achieving **75%+ coverage** of CIS Controls v8.1 Implementation Group 1 safeguards. This expansion significantly enhances the framework's ability to assess essential cyber hygiene controls.
+### Coverage Metrics
+The framework now reports coverage metrics showing how many CIS Controls safeguards are assessed:
+- **IG1**: 42 of 56 safeguards covered (75%+) with 125 rules
+- **IG2**: 30 of 74 safeguards covered (~40%) with 38 rules
+- **IG3**: 15 of 153 safeguards covered (~10%) with 12 rules
+Coverage metrics appear in:
+- HTML reports (executive dashboard)
+- JSON reports (executive_summary section)
+- Assessment statistics
+### Phase 1 - Quick Wins (13 Rules)
+**Security Services (4 rules)**
+- GuardDuty enablement check
+- Inspector v2 enablement and configuration
+- Macie enablement for data discovery
+- IAM Access Analyzer deployment
+**Logging (4 rules)**
+- VPC Flow Logs enablement
+- ELB access logging
+- CloudFront distribution logging
+- WAF logging configuration
+**Encryption (5 rules)**
+- EBS encryption by default
+- RDS storage encryption
+- EFS file system encryption
+- DynamoDB table encryption with KMS
+- S3 bucket default encryption with KMS
+### Phase 2 - Core Security (15 Rules)
+**Patch Management (3 rules)**
+- SSM Patch Manager enablement
+- Patch baseline configuration
+- EC2 instance patch compliance
+**Access Control (5 rules)**
+- AWS SSO/Identity Center enablement
+- Identity Center configuration
+- Admin user MFA requirements
+- Cognito user pool MFA
+- VPN endpoint MFA
+**TLS/SSL Enforcement (5 rules)**
+- ALB HTTP to HTTPS redirection
+- ELB HTTPS-only listeners
+- RDS SSL connection requirements
+- API Gateway SSL enforcement
+- Redshift TLS requirements
+**Additional Encryption (3 rules)**
+- SNS topic KMS encryption
+- SQS queue encryption
+- CloudTrail S3 data events
+### Phase 3 - Advanced (15 Rules)
+**Inventory Management (5 rules)**
+- SSM Inventory enablement
+- AWS Config multi-region deployment
+- AMI inventory tracking
+- Lambda runtime inventory
+- IAM user inventory
+**Configuration Management (4 rules)**
+- Config conformance pack deployment
+- Security Hub standards enablement
+- Asset tagging compliance
+- Inspector assessment enablement
+**Version Management (3 rules)**
+- EC2 OS version support validation
+- RDS engine version support
+- Lambda runtime support
+**Access & Asset Management (3 rules)**
+- IAM user last access tracking
+- SSM Session Manager availability
+- Unauthorized asset detection
+### Phase 4 - Enhanced (7 Rules)
+**Data Classification (2 rules)**
+- Data resource classification tagging
+- S3 bucket classification tags
+**Network Security (2 rules)**
+- AWS Network Firewall deployment
+- Route 53 DNS Firewall enablement
+**Backup Security (5 rules)**
+- Backup vault encryption
+- Cross-region backup copy
+- Backup vault lock
+- Route 53 query logging
+- RDS backup retention
+### Using the New Rules
+All new rules are automatically included in IG1 assessments:
+```bash
+# Run complete IG1 assessment with all 125 rules
+aws-cis-assess assess --implementation-groups IG1
+# View coverage metrics in HTML report
+aws-cis-assess assess --implementation-groups IG1 --output-format html
+# Check specific phase rules
+aws-cis-assess list-controls --implementation-groups IG1
+```
+### Benefits
+1. **Comprehensive Coverage**: 75%+ of CIS Controls v8.1 IG1 safeguards
+2. **Security Services**: Validates enablement of AWS security services
+3. **Encryption**: Ensures encryption at rest and in transit
+4. **Inventory**: Tracks assets and software versions
+5. **Configuration**: Validates security configuration standards
+6. **Backup**: Assesses backup infrastructure security
 ## Next Steps
 - **Configuration Guide**: Learn about customizing assessments

aws_cis_controls_assessment-1.1.3.dist-info/METADATA DELETED Viewed

@@ -1,404 +0,0 @@
-Metadata-Version: 2.4
-Name: aws-cis-controls-assessment
-Version: 1.1.3
-Summary: Production-ready AWS CIS Controls compliance assessment framework with 145 comprehensive rules
-Author-email: AWS CIS Assessment Team <security@example.com>
-Maintainer-email: AWS CIS Assessment Team <security@example.com>
-License: MIT
-Project-URL: Homepage, https://github.com/yourusername/aws-cis-controls-assessment
-Project-URL: Documentation, https://github.com/yourusername/aws-cis-controls-assessment/blob/main/README.md
-Project-URL: Repository, https://github.com/yourusername/aws-cis-controls-assessment.git
-Project-URL: Bug Reports, https://github.com/yourusername/aws-cis-controls-assessment/issues
-Project-URL: Changelog, https://github.com/yourusername/aws-cis-controls-assessment/blob/main/CHANGELOG.md
-Project-URL: Source Code, https://github.com/yourusername/aws-cis-controls-assessment
-Keywords: aws,security,compliance,cis,controls,assessment,audit,enterprise,production
-Classifier: Development Status :: 5 - Production/Stable
-Classifier: Intended Audience :: System Administrators
-Classifier: Intended Audience :: Information Technology
-Classifier: Intended Audience :: Developers
-Classifier: License :: OSI Approved :: MIT License
-Classifier: Operating System :: OS Independent
-Classifier: Programming Language :: Python :: 3
-Classifier: Programming Language :: Python :: 3.8
-Classifier: Programming Language :: Python :: 3.9
-Classifier: Programming Language :: Python :: 3.10
-Classifier: Programming Language :: Python :: 3.11
-Classifier: Programming Language :: Python :: 3.12
-Classifier: Topic :: Security
-Classifier: Topic :: System :: Systems Administration
-Classifier: Topic :: Software Development :: Quality Assurance
-Classifier: Environment :: Console
-Classifier: Environment :: No Input/Output (Daemon)
-Requires-Python: >=3.8
-Description-Content-Type: text/markdown
-License-File: LICENSE
-Requires-Dist: boto3<2.0.0,>=1.26.0
-Requires-Dist: PyYAML<7.0,>=6.0
-Requires-Dist: click<9.0,>=8.0
-Requires-Dist: jinja2<4.0,>=3.0
-Requires-Dist: tabulate<1.0,>=0.9.0
-Provides-Extra: dev
-Requires-Dist: pytest<8.0,>=7.0.0; extra == "dev"
-Requires-Dist: pytest-mock<4.0,>=3.10.0; extra == "dev"
-Requires-Dist: pytest-cov<5.0,>=4.0.0; extra == "dev"
-Requires-Dist: black<24.0,>=22.0.0; extra == "dev"
-Requires-Dist: flake8<7.0,>=5.0.0; extra == "dev"
-Requires-Dist: mypy<2.0,>=1.0.0; extra == "dev"
-Requires-Dist: bandit<2.0,>=1.7.0; extra == "dev"
-Requires-Dist: safety<3.0,>=2.0.0; extra == "dev"
-Provides-Extra: test
-Requires-Dist: pytest<8.0,>=7.0.0; extra == "test"
-Requires-Dist: pytest-mock<4.0,>=3.10.0; extra == "test"
-Requires-Dist: pytest-cov<5.0,>=4.0.0; extra == "test"
-Provides-Extra: security
-Requires-Dist: bandit<2.0,>=1.7.0; extra == "security"
-Requires-Dist: safety<3.0,>=2.0.0; extra == "security"
-Dynamic: license-file
-# AWS CIS Controls Compliance Assessment Framework
-A production-ready, enterprise-grade framework for evaluating AWS account configurations against CIS Controls Implementation Groups (IG1, IG2, IG3) using AWS Config rule specifications. **100% CIS Controls coverage achieved** with 163 implemented rules (131 CIS Controls + 32 bonus security enhancements).
-> **Production Status**: This framework is production-ready and actively deployed in enterprise environments. It provides comprehensive point-in-time compliance assessments while we recommend [AWS Config](https://aws.amazon.com/config/) for ongoing continuous compliance monitoring and automated remediation.
-## 🎯 Key Features
-- **✅ Complete Coverage**: 163 total rules implemented (131 CIS Controls + 32 bonus)
-- **✅ Dual Scoring System**: Both weighted and AWS Config-style scoring methodologies
-- **✅ Enhanced HTML Reports**: Control names, working search, improved remediation display
-- **✅ Enterprise Ready**: Production-tested with enterprise-grade architecture
-- **✅ Performance Optimized**: Handles large-scale assessments efficiently
-- **✅ Multi-Format Reports**: JSON, HTML, and CSV with detailed remediation guidance
-- **✅ No AWS Config Required**: Direct AWS API calls based on Config rule specifications
-- **✅ AWS Backup Controls**: 6 comprehensive backup infrastructure controls (3 IG1 + 3 IG2)
-- **✅ Audit Logging Controls**: 7 comprehensive audit log management controls (CIS Control 8)
-- **✅ Access & Configuration Controls**: 14 comprehensive identity, access, and secure configuration controls (CIS Controls 4, 5, 6)
-## 🚀 Quick Start
-### Installation
-```bash
-# Install from PyPI (production-ready)
-pip install aws-cis-controls-assessment
-# Or install from source for development
-git clone <repository-url>
-cd aws-cis-controls-assessment
-pip install -e .
-```
-### Basic Usage
-```bash
-# Run complete assessment (all 163 rules) - defaults to us-east-1
-aws-cis-assess assess --aws-profile my-aws-profile
-# Assess multiple regions
-aws-cis-assess assess --aws-profile my-aws-profile --regions us-east-1,us-west-2
-# Assess specific Implementation Group using short flag (defaults to us-east-1)
-aws-cis-assess assess -p my-aws-profile --implementation-groups IG1 --output-format json
-# Generate comprehensive HTML report (defaults to us-east-1)
-aws-cis-assess assess --aws-profile production --output-format html --output-file compliance-report.html
-# Enterprise multi-region assessment with multiple formats
-aws-cis-assess assess -p security-audit --implementation-groups IG1,IG2,IG3 --regions all --output-format html,json --output-dir ./reports/
-# Quick assessment with default profile and default region (us-east-1)
-aws-cis-assess assess --output-format json
-```
-## 📊 Implementation Groups Coverage
-### IG1 - Essential Cyber Hygiene (96 Rules) ✅
-**100% Coverage Achieved**
-- Asset Inventory and Management (6 rules)
-- Identity and Access Management (15 rules)
-- Data Protection and Encryption (8 rules)
-- Network Security Controls (20 rules)
-- Logging and Monitoring (13 rules)
-- Backup and Recovery (17 rules) - **6 AWS Backup service controls (3 IG1 + 3 IG2)**
-- Security Services Integration (5 rules)
-- Configuration Management (9 rules)
-- Vulnerability Management (5 rules)
-### IG2 - Enhanced Security (+74 Rules) ✅
-**100% Coverage Achieved**
-- Advanced Encryption at Rest (6 rules)
-- Certificate Management (2 rules)
-- Network High Availability (7 rules)
-- Enhanced Monitoring (3 rules)
-- CodeBuild Security (4 rules)
-- Vulnerability Scanning (1 rule)
-- Network Segmentation (5 rules)
-- Auto-scaling Security (1 rule)
-- Enhanced Access Controls (8 rules)
-- AWS Backup Advanced Controls (3 rules) - **Vault lock, reporting, restore testing**
-- Audit Log Management (7 rules) - **Control 8 comprehensive logging coverage**
-- Secure Configuration (5 rules) - **Control 4: session duration, security groups, VPC DNS, RDS admin, EC2 least privilege**
-- Account Management (4 rules) - **Control 5: service account docs, admin policies, SSO, inline policies**
-- Access Control Management (5 rules) - **Control 6: Access Analyzer, permission boundaries, SCPs, Cognito MFA, VPN MFA**
-### IG3 - Advanced Security (+1 Rule) ✅
-**100% Coverage Achieved**
-- API Gateway WAF Integration (1 rule)
-- Critical for preventing application-layer attacks
-- Required for high-security environments
-### Bonus Security Rules (+32 Rules) ✅
-**Additional Value Beyond CIS Requirements**
-- Enhanced logging security (`cloudwatch-log-group-encrypted`)
-- Network security enhancement (`incoming-ssh-disabled`)
-- Data streaming encryption (`kinesis-stream-encrypted`)
-- Network access control (`restricted-incoming-traffic`)
-- Message queue encryption (`sqs-queue-encrypted-kms`)
-- Route 53 DNS query logging (`route53-query-logging-enabled`)
-- Plus 26 additional security enhancements
-- Application Load Balancer access logs (`alb-access-logs-enabled`)
-- CloudFront distribution access logs (`cloudfront-access-logs-enabled`)
-- WAF web ACL logging (`waf-logging-enabled`)
-### 🔍 CIS Control 8: Audit Log Management (13 Rules)
-**Comprehensive Audit Logging Coverage**
-Control 8 focuses on collecting, alerting, reviewing, and retaining audit logs of events that could help detect, understand, or recover from an attack. Our implementation provides comprehensive coverage across AWS services:
-**DNS Query Logging**
-- `route53-query-logging-enabled`: Validates Route 53 hosted zones have query logging enabled to track DNS queries for security investigations
-**Load Balancer & CDN Logging**
-- `alb-access-logs-enabled`: Ensures Application Load Balancers capture access logs for traffic analysis
-- `elb-logging-enabled`: Validates Classic Load Balancers have access logging enabled
-- `cloudfront-access-logs-enabled`: Ensures CloudFront distributions log content delivery requests
-**Log Retention & Management**
-- `cloudwatch-log-retention-check`: Validates log groups have appropriate retention periods (minimum 90 days)
-- `cw-loggroup-retention-period-check`: Additional log retention validation
-**CloudTrail Monitoring**
-- `cloudtrail-insights-enabled`: Enables anomaly detection for unusual API activity
-**Configuration Tracking**
-- `config-recording-all-resources`: Ensures AWS Config tracks all resource configuration changes
-**Application Security Logging**
-- `waf-logging-enabled`: Validates WAF web ACLs capture firewall events
-- `wafv2-logging-enabled`: Ensures WAFv2 web ACLs have logging enabled
-**Database & Service Logging**
-- `rds-logging-enabled`: Validates RDS instances have appropriate logging enabled
-- `elasticsearch-logs-to-cloudwatch`: Ensures Elasticsearch domains send logs to CloudWatch
-- `codebuild-project-logging-enabled`: Validates CodeBuild projects capture build logs
-- `redshift-cluster-configuration-check`: Ensures Redshift clusters have audit logging enabled
-### 🔐 CIS Controls 4, 5, 6: Access & Configuration Controls (14 Rules)
-**Comprehensive Identity, Access Management, and Secure Configuration Coverage**
-These controls focus on secure configuration of enterprise assets, account management, and access control management. Our implementation provides comprehensive coverage across AWS IAM, networking, and identity services:
-**Control 4 - Secure Configuration (5 rules)**
-- `iam-max-session-duration-check`: Validates IAM role session duration does not exceed 12 hours to limit credential exposure
-- `security-group-default-rules-check`: Ensures default security groups have no inbound or outbound rules to prevent unintended access
-- `vpc-dns-resolution-enabled`: Validates VPC DNS settings (enableDnsHostnames and enableDnsSupport) are properly configured
-- `rds-default-admin-check`: Ensures RDS instances don't use default admin usernames (postgres, admin, root, mysql, administrator)
-- `ec2-instance-profile-least-privilege`: Validates EC2 instance profile permissions follow least privilege principles
-**Control 5 - Account Management (4 rules)**
-- `iam-service-account-inventory-check`: Validates service accounts have required documentation tags (Purpose, Owner, LastReviewed)
-- `iam-admin-policy-attached-to-role-check`: Ensures administrative policies are attached to roles, not directly to users
-- `sso-enabled-check`: Validates AWS IAM Identity Center is configured and enabled for centralized identity management
-- `iam-user-no-inline-policies`: Ensures IAM users don't have inline policies (only managed policies or group memberships)
-**Control 6 - Access Control Management (5 rules)**
-- `iam-access-analyzer-enabled`: Validates IAM Access Analyzer is enabled in all active regions for external access detection
-- `iam-permission-boundaries-check`: Ensures permission boundaries are configured for roles with elevated privileges
-- `organizations-scp-enabled-check`: Validates AWS Organizations Service Control Policies are enabled and in use
-- `cognito-user-pool-mfa-enabled`: Ensures Cognito user pools have MFA enabled for enhanced authentication security
-- `vpn-connection-mfa-enabled`: Validates Client VPN endpoints require MFA authentication
-## 🏗️ Production Architecture
-### Core Components
-- **Assessment Engine**: Orchestrates compliance evaluations across all AWS regions
-- **Control Assessments**: 149 individual rule implementations with robust error handling
-- **Scoring Engine**: Calculates compliance scores and generates executive metrics
-- **Reporting System**: Multi-format output with detailed remediation guidance
-- **Resource Management**: Optimized for enterprise-scale deployments with memory management
-### Enterprise Features
-- **Multi-threading**: Parallel execution for improved performance
-- **Error Recovery**: Comprehensive error handling and retry mechanisms
-- **Audit Trail**: Complete compliance audit and logging capabilities
-- **Resource Monitoring**: Real-time performance and resource usage tracking
-- **Scalable Architecture**: Handles assessments across hundreds of AWS accounts
-## 📋 Requirements
-- **Python**: 3.8+ (production tested on 3.8, 3.9, 3.10, 3.11)
-- **AWS Credentials**: Configured via AWS CLI, environment variables, or IAM roles
-- **Permissions**: Read-only access to AWS services being assessed
-- **Memory**: Minimum 2GB RAM for large-scale assessments
-- **Network**: Internet access for AWS API calls
-- **Default Region**: Assessments default to `us-east-1` unless `--regions` is specified
-## 📈 Business Value
-### Immediate Benefits
-- **Compliance Readiness**: Instant CIS Controls compliance assessment
-- **Risk Reduction**: Identify and prioritize security vulnerabilities
-- **Audit Support**: Generate comprehensive compliance reports
-- **Cost Optimization**: Identify misconfigured and unused resources
-- **Operational Efficiency**: Automate manual compliance checking
-### Long-term Value
-- **Continuous Improvement**: Track compliance posture over time
-- **Regulatory Compliance**: Support for multiple compliance frameworks
-- **Security Automation**: Foundation for automated remediation
-- **Enterprise Integration**: Integrate with existing security tools
-- **Future-Proof**: Extensible architecture for evolving requirements
-## 🛡️ Security & Compliance
-### Security Features
-- **Read-Only Access**: Framework requires only read permissions
-- **No Data Storage**: No sensitive data stored or transmitted
-- **Audit Logging**: Complete audit trail of all assessments
-- **Error Handling**: Secure error handling without data leakage
-### Compliance Support
-- **CIS Controls**: 100% coverage of Implementation Groups 1, 2, and 3
-- **AWS Well-Architected**: Aligned with security pillar best practices
-- **Industry Standards**: Supports SOC 2, NIST, ISO 27001 mapping
-- **Regulatory Requirements**: HIPAA, PCI DSS, FedRAMP compatible
-- **Custom Frameworks**: Extensible for organization-specific requirements
-## 📚 Documentation
-### Core Documentation
-- **[Installation Guide](docs/installation.md)**: Detailed installation instructions and requirements
-- **[User Guide](docs/user-guide.md)**: Comprehensive user manual and best practices
-- **[CLI Reference](docs/cli-reference.md)**: Complete command-line interface documentation
-- **[Dual Scoring Guide](docs/dual-scoring-implementation.md)**: Weighted vs AWS Config scoring methodologies
-- **[Scoring Methodology](docs/scoring-methodology.md)**: Detailed explanation of weighted scoring
-- **[AWS Config Comparison](docs/scoring-comparison-aws-config.md)**: Comparison with AWS Config approach
-- **[Troubleshooting Guide](docs/troubleshooting.md)**: Common issues and solutions
-- **[Developer Guide](docs/developer-guide.md)**: Development and contribution guidelines
-### Technical Documentation
-- **[Assessment Logic](docs/assessment-logic.md)**: How compliance assessments work
-- **[Config Rule Mappings](docs/config-rule-mappings.md)**: CIS Controls to AWS Config rule mappings
-- **[HTML Report Improvements](docs/html-report-improvements.md)**: Enhanced HTML report features and customization
-## 🤝 Support & Community
-### Getting Help
-- **Documentation**: Comprehensive guides and API documentation
-- **GitHub Issues**: Bug reports and feature requests
-- **Enterprise Support**: Commercial support available for enterprise deployments
-### Contributing
-- **Code Contributions**: Pull requests welcome with comprehensive tests
-- **Documentation**: Help improve documentation and examples
-- **Bug Reports**: Detailed bug reports with reproduction steps
-- **Feature Requests**: Enhancement suggestions with business justification
-## 📄 License
-MIT License - see [LICENSE](LICENSE) file for details.
-## 🏆 Project Status
-**✅ Production Ready**: Complete implementation with 100% CIS Controls coverage
-**✅ Enterprise Deployed**: Actively used in production environments
-**✅ Continuously Maintained**: Regular updates and security patches
-**✅ Community Supported**: Active development and community contributions
-**✅ Future-Proof**: Extensible architecture for evolving requirements
----
-**Framework Version**: 1.1.0 (in development)
-**CIS Controls Coverage**: 151/151 rules (100%) + 9 bonus rules
-**Production Status**: ✅ Ready for immediate enterprise deployment
-**Last Updated**: January 2026
-## 🆕 What's New in Version 1.1.0
-### Access & Configuration Controls (CIS Controls 4, 5, 6)
-Fourteen new controls added to assess identity, access management, and secure configuration:
-**Control 4 - Secure Configuration (5 rules)**:
-1. **iam-max-session-duration-check** - Validates IAM role session duration does not exceed 12 hours
-   - Ensures temporary credentials have limited exposure window
-   - Checks MaxSessionDuration property on all IAM roles
-   - Compliant if session duration ≤ 43200 seconds (12 hours)
-2. **security-group-default-rules-check** - Ensures default security groups have no rules
-   - Validates default security groups are restricted (no inbound/outbound rules)
-   - Prevents unintended access through default security groups
-   - Encourages use of custom security groups with explicit rules
-3. **vpc-dns-resolution-enabled** - Validates VPC DNS configuration
-   - Checks both enableDnsHostnames and enableDnsSupport are enabled
-   - Ensures proper DNS resolution within VPCs
-   - Required for many AWS services to function correctly
-4. **rds-default-admin-check** - Ensures RDS instances don't use default admin usernames
-   - Detects default usernames: postgres, admin, root, mysql, administrator, sa
-   - Case-insensitive detection
-   - Reduces risk of credential guessing attacks
-5. **ec2-instance-profile-least-privilege** - Validates EC2 instance profile permissions
-   - Checks for overly permissive policies (AdministratorAccess, PowerUserAccess)
-   - Detects wildcard permissions (Action: "*", Resource: "*")
-   - Ensures least privilege principle for EC2 workloads
-**Control 5 - Account Management (4 rules)**:
-6. **iam-service-account-inventory-check** - Validates service account documentation
-   - Ensures service accounts have required tags: Purpose, Owner, LastReviewed
-   - Identifies service accounts by naming convention or tags
-   - Supports compliance and access review processes
-7. **iam-admin-policy-attached-to-role-check** - Ensures admin policies on roles, not users
-   - Detects administrative policies attached directly to IAM users
-   - Encourages role-based access with temporary credentials
-   - Improves audit trail and access management
-8. **sso-enabled-check** - Validates AWS IAM Identity Center (SSO) is configured
-   - Checks for SSO instance existence
-   - Encourages centralized identity management
-   - Supports integration with corporate identity providers
-9. **iam-user-no-inline-policies** - Ensures IAM users don't have inline policies
-   - Detects inline policies attached to users
-   - Encourages use of managed policies for reusability
-   - Simplifies policy management and auditing
-**Control 6 - Access Control Management (5 rules)**:
-10. **iam-access-analyzer-enabled** - Validates Access Analyzer in all regions
-    - Ensures IAM Access Analyzer is enabled regionally
-    - Detects resources shared with external entities
-    - Provides continuous monitoring for unintended access
-11. **iam-permission-boundaries-check** - Validates permission boundaries for elevated roles
-    - Identifies roles with elevated privileges
-    - Checks for permission boundary configuration
-    - Prevents privilege escalation in delegated administration
-12. **organizations-scp-enabled-check** - Validates Service Control Policies are in use
-    - Checks account is part of AWS Organizations
-    - Verifies SCPs are enabled (FeatureSet includes ALL)
-    - Ensures custom SCPs exist beyond default FullAWSAccess
-13. **cognito-user-pool-mfa-enabled** - Ensures Cognito user pools have MFA
-    - Validates MfaConfiguration is 'ON' or 'OPTIONAL'
-    - Supports both SMS and TOTP authentication methods
-    - Enhances authentication security for applications
-14. **vpn-connection-mfa-enabled** - Validates Client VPN endpoints require MFA
-    - Checks VPN authentication options for MFA requirement
-    - Supports Active Directory, SAML, and certificate-based MFA
-    - Ensures secure remote access to AWS resources
-These controls complement the existing audit logging and backup controls by providing comprehensive coverage of identity, access management, and secure configuration practices. Total rules: 163 (149 previous + 14 new). See [Config Rule Mappings](docs/config-rule-mappings.md) for detailed documentation.

{aws_cis_controls_assessment-1.1.3.dist-info → aws_cis_controls_assessment-1.2.0.dist-info}/WHEEL RENAMED Viewed

File without changes

{aws_cis_controls_assessment-1.1.3.dist-info → aws_cis_controls_assessment-1.2.0.dist-info}/entry_points.txt RENAMED Viewed

File without changes

{aws_cis_controls_assessment-1.1.3.dist-info → aws_cis_controls_assessment-1.2.0.dist-info}/licenses/LICENSE RENAMED Viewed

File without changes

{aws_cis_controls_assessment-1.1.3.dist-info → aws_cis_controls_assessment-1.2.0.dist-info}/top_level.txt RENAMED Viewed

File without changes

aws-cis-controls-assessment 1.1.3__py3-none-any.whl → 1.2.0__py3-none-any.whl

aws-cis-controls-assessment 1.1.3py3-none-any.whl → 1.2.0py3-none-any.whl